SOC 2® Just Became Mandatory
One client call can turn a cybersecurity “nice to have” into a “must-have.” For software development company Summit Imaging, that call came from a large university medical center that was considering working with Summit Imaging—but only if it had a SOC 2® report. Knowing they needed a push (and expert insight) to formalize processes they had already started, Summit called on Pratum for its SOC 2® work—and found a partner for the long haul.
Experts in Medical Imaging
Summit Imaging, a 22-year-old company based near Kansas City, Missouri, offers two software applications for endoscopy clinics and other visible light imaging applications in the medical field.
Summit Imaging’s EndoManager suite covers image capture; physician documentation and reporting; and integrating with electronic medical records (EMR) systems such as Cerner, Epic or Meditech. Summit Imaging’s ScopeCycle program helps organizations manage cleaning protocols for equipment (known as reprocessing).
Hundreds of Summit Imaging customers in the United States, Canada and Australia range from single-physician clinics to large, multisite healthcare systems. Many of the company’s employees serve as software developers and help desk technicians who frequently log into clients’ environments via VPNs to directly work on issues.
The Push for Third-Party Verification
While Summit Imaging hasn’t faced specific HIPAA compliance requirements so far (personal healthcare information is all stored on clients’ systems), the company trains its technicians to follow HIPAA guidelines while handling tech support issues inside customers’ systems. “We’re handling PHI, so we’re always very cognizant of security across the board,” says Chief Executive Officer Darren Meyer.
Driven by that mindset, Summit Imaging had many solid cybersecurity policies in place, but lacked an overarching policy strategy. “From a technical standpoint, they were meeting a lot of the requirements before we started working with them,” Pratum virtual CISO Matthew McGill says. “But they had really limited governance and didn’t know how to go about standing up a formal security program.”
“We had started this process loosely ourselves,” Chief Operating Officer Evan Doss says. “But we quickly learned that professional guidance would be required to get us across the finish line.”
Pursuing SOC 2®
When that call came in from the university medical center requiring a SOC 2® report, Summit Imaging decided it was time to call in a pro.
The customer’s requirement wasn’t a surprise. “They weren’t the first to ask for a SOC 2® report,” Darren says. “But they were the first to require it.” As Summit Imaging scaled up to serving larger healthcare organizations, they knew they increasingly faced professional risk managers who would require third-party verification of vendors’ security postures.
Like many other companies, Summit Imaging recognized three advantages to hiring a company like Pratum to help them prepare for a SOC 2® exam rather than going it alone:
- The process would go faster
- Summit Imaging wouldn’t have to devote a large share of its internal resources to the process
- They were almost assured of getting a positive SOC 2® report on the first try with experts guiding their preparation
Picking a Partner
From the earliest calls, Darren liked Pratum’s capabilities and philosophy for the SOC 2® Type 1 process. He liked that the consultants Summit Imaging met during the selection process would actually be doing the work. “We’re a small business, and I wanted to work with another small business,” Darren says. “We could’ve gone with some larger companies, but I was looking for that personalized touch.”
Pratum won Evan over with a clear vision for Summit Imaging's future.
“We could tell right away that Pratum was not just about getting the SOC 2® done and being finished with it. They had options to come on board as a security partner with us for years to come. We knew they could continue this journey with us for HIPAA and SOC 2® Type 2.”
Evan Doss, Chief Operating Officer, Summit Imaging
Summit Imaging also put a high value on Pratum’s longstanding partnership with LWBJ, an accounting firm that performs the audit side of the SOC 2® process. “It certainly does make it easier that Pratum knows what to expect and knows what to prep us for,” Darren says.
SOC 2® and Beyond
Summit Imaging’s SOC 2® Type 1 report provided quick payback in multiple areas, including saving staff time. The security questionnaires that many health systems send their vendors cover 200-300 questions and take most of a week to fill out. “Now we can eliminate a lot of that by sending them our SOC 2® report,” Evan says.
The SOC 2® report has also helped Summit Imaging with its cyber insurance carrier by checking multiple boxes required to renew the cyber insurance policy.
Summit Imaging’s other work with Pratum has included a limited risk assessment and a tabletop exercise to test their incident response plan. And in late 2020, they signed up for Pratum’s vCISO service, driven again by customer requests.
“Summit Imaging wasn’t always seeing how they could point to their compensating controls to show why they didn’t need to have a control exactly like the one the client described,” Pratum’s McGill says. “They were implementing a lot of different controls to satisfy a lot of clients.” Matthew has helped Summit Imaging successfully push back on some client requests that differ only in language from Summit Imaging’s existing policies.
As Summit Imaging grows, they’re counting on Pratum to chart their cybersecurity path. In the near future, the team will move beyond basic compliance and perform a full risk assessment of the organization. They will also evaluate new network infrastructure that would increase security and decrease costs.
“Pratum is our expert helping us with what we don’t know we don’t know,” Evan says. “It’s not what is required now, but what is going to be required in the future that we don’t know about. We feel like we have someone to call up and consult with on future projects.”